From 88038b21e2b78445e9e35cbb9d1c6019ce48d26b Mon Sep 17 00:00:00 2001
From: Kevin Veen-Birkenbach
Date: Fri, 17 Nov 2023 18:31:35 +0100
Subject: [PATCH] implemented whitelisting of anonymous docker volumes
---
 roles/health-docker-volumes/README.md | 15 ++++++++-------
 .../files/health-docker-volumes.sh | 18 +++++++++++++++---
 .../templates/health-docker-volumes.service.j2 | 2 +-
 3 files changed, 24 insertions(+), 11 deletions(-)
diff --git a/roles/health-docker-volumes/README.md b/roles/health-docker-volumes/README.md
index 8350a5e3..94680cf4 100644
--- a/roles/health-docker-volumes/README.md
+++ b/roles/health-docker-volumes/README.md
@@ -2,23 +2,24 @@ ## Description
-This role checks for anonymous Docker volumes that are not bound to a container and may be left over from previous operations. It provides a cleanup mechanism by identifying such volumes and possibly taking action against them.
+This role checks for anonymous Docker volumes that are not bound to a container and may be left over from previous operations. It provides a cleanup mechanism by identifying such volumes, excluding any that are whitelisted, and possibly taking action against them.
 ## Files
-- `vars/main.yml`: Variable definitions for the script's directory.
+- `vars/main.yml`: Variable definitions for the script's directory and whitelist.
 - `handlers/main.yml`: Handlers to reload and restart the systemd service and timer.
-- `files/health-docker-volumes.sh`: The script that checks for anonymous Docker volumes.
+- `files/health-docker-volumes.sh`: The script that checks for anonymous Docker volumes and excludes whitelisted volumes.
 - `tasks/main.yml`: Tasks to create necessary directories, copy scripts, and create systemd service and timer.
-- `templates/health-docker-volumes.service.j2`: Systemd service template.
+- `templates/health-docker-volumes.service.j2`: Systemd service template, including the whitelisted volumes as a parameter.
 - `templates/health-docker-volumes.timer.j2`: Systemd timer template.
 - `meta/main.yml`: Meta information declaring dependencies for the role.
 ## Usage
-This role can be included in your playbook. Set the `path_administrator_scripts` variable to determine where the health check scripts should reside.
+Include this role in your playbook and set the `path_administrator_scripts` variable to determine where the health check scripts should reside. Define `whitelisted_anonymous_volumes` in `vars/main.yml` with an array of volume IDs that should be ignored by the health check.
-The role uses `systemd_notifier` for failure notifications, so ensure this dependency is present in your environment. 
+Ensure that the `systemd_notifier` dependency is satisfied for error notifications.
 ## Created with AI
-This script was created with the help of AI. The full conversation you find [here](https://chat.openai.com/share/1fa829f1-f001-4111-b1d4-1b2e3d583da2).
\ No newline at end of file
+This script was created with the help of AI. The full conversation you find [here](https://chat.openai.com/share/1fa829f1-f001-4111-b1d4-1b2e3d583da2).
+
diff --git a/roles/health-docker-volumes/files/health-docker-volumes.sh b/roles/health-docker-volumes/files/health-docker-volumes.sh
index 880b644b..2de4ee21 100644
--- a/roles/health-docker-volumes/files/health-docker-volumes.sh
+++ b/roles/health-docker-volumes/files/health-docker-volumes.sh
@@ -1,17 +1,29 @@
 #!/bin/bash
+status=0
+
+# The first argument is a space-separated list of whitelisted volume IDs
+whitelist=$1
+whitelisted_volumes=($whitelist) # Split into an array
+
 anonymous_volumes=$(docker volume ls --format "{{.Name}}" | grep -E '^[a-f0-9]{64}$')
 if [ -z "$anonymous_volumes" ]; then
 echo "No anonymous volumes found."
- exit 0
+ exit $status
 fi
 echo "Anonymous volumes found:"
 for volume in $anonymous_volumes; do
- container_ids=$(docker ps -aq --filter volume=$volume)
+ # Check if the volume is in the whitelist
+ if printf '%s\n' "${whitelisted_volumes[@]}" | grep -q "^$volume$"; then
+ echo "Volume $volume is whitelisted and will be skipped."
+ continue
+ fi
+ status=1
+ container_ids=$(docker ps -aq --filter volume=$volume)
 if [ -z "$container_ids" ]; then
 echo "Volume $volume is not used by any running containers."
 continue
@@ -29,4 +41,4 @@ for volume in $anonymous_volumes; do
 done
 done
-exit 1
+exit $status
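Review bot: `whitelisted_volumes=($whitelist)` splits the argument with an unquoted expansion, which also applies pathname expansion to every entry, so a whitelist containing `*` or `?` would pull filenames from the script's working directory into the list; `read -ra whitelisted_volumes <<< "${1:-}"` splits on whitespace without globbing. The lookup `grep -q "^$volume$"` is safe as a pattern only because `$volume` is already restricted to 64 hex characters by the `grep -E` a few lines above, whereas `grep -qxF -- "$volume"` states the intended exact, literal whole-line match directly and stays safe if that regex is ever loosened. Nothing validates that whitelist entries are themselves volume IDs, so a typo silently never matches and the volume keeps failing the check; a comment at the top such as `# $1: whitespace-separated 64-hex anonymous volume IDs to ignore; empty means none` would document the contract the caller has to meet. The for loop's body continues past the end of this hunk.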
+++ b/roles/health-docker-volumes/templates/health-docker-volumes.service.j2
@@ -4,4 +4,4 @@ OnFailure=systemd-notifier@%n.service
 [Service]
 Type=oneshot
-ExecStart=/bin/bash {{health_docker_volumes_folder}}health-docker-volumes.sh
+ExecStart=/bin/bash {{ health_docker_volumes_folder }}health-docker-volumes.sh "{{ whitelisted_anonymous_docker_volumes | join(' ') }}"
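Review bot: The template reads `whitelisted_anonymous_docker_volumes`, while the README in this same patch tells users to define `whitelisted_anonymous_volumes` in `vars/main.yml`; one of the two names has to change, otherwise the render presumably fails on an undefined variable or, if a default is set elsewhere, the whitelist is silently empty. The joined value is spliced into `ExecStart` as a quoted argument, and systemd applies its own `%` specifier and `$VAR` environment expansion to that line, so an entry that is not a plain 64-hex ID could be re-parsed in surprising ways; an `assert` in `tasks/main.yml` that every entry matches `^[a-f0-9]{64}$` (the same pattern the script accepts) keeps the unit file well-formed and fails early on typos. A one-line comment in the unit, `# argument 1: whitelisted anonymous volume IDs, rendered at deploy time from whitelisted_anonymous_docker_volumes`, would make the coupling to the script's argument contract visible to whoever edits either side.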